Hey John,
Awesome response :)
But I am not setting any dns records by hand. I did it *prior* to
FreeIPA. We are using naked Kerberos and LDAP as-is. So that's where the
DNS RRs are coming from.
Does "Don't run IPA on a domain that's in use" mean "entire domain" or
"Subdomain is OK"?
kdcproxy.. nat.. does not really sound awesome to be honest.
Would a setup on auth.company.com (realm, domain, etc.) have any
disadvantages? I could simply add DNS SRV records from company.com to
auth.company.com?
And it's okay I guess if the host keytabs look like
host/server.company.com@AUTH.COMPANY.COM
I am slowly getting there :)
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland